Search

CN-122019308-A - Intelligent recognition method for software operation behavior based on deep learning

CN122019308ACN 122019308 ACN122019308 ACN 122019308ACN-122019308-A

Abstract

The invention relates to the technical field of computer software, in particular to a software operation behavior intelligent identification method based on deep learning. The intelligent recognition method comprises the steps of collecting software operation feature data, inputting the operation feature data into an intelligent recognition algorithm, judging the software operation state by combining historical feature data and correction rules stored in a cloud database, recognizing the process form software based on the process information, recognizing the plug-in form software based on the interaction information of the plug-in and a host program, receiving correction information of a recognition result and updating the recognition rules based on the correction information, and applying the updated recognition rules to other software operation behavior recognition scenes. The technical scheme can improve the identification accuracy and efficiency.

Inventors

  • PAN YONGLU
  • CHEN FEI

Assignees

  • 重庆圣享科技有限公司

Dates

Publication Date
20260512
Application Date
20260210

Claims (9)

  1. 1. The intelligent recognition method for the software operation behavior based on deep learning is characterized by comprising the following steps of: collecting software operation characteristic data, wherein the operation characteristic data comprises process information and/or plug-in interaction information; The operation characteristic data is input into an intelligent recognition algorithm, and the intelligent recognition algorithm is combined with historical characteristic data and correction rules stored in a cloud database to judge the operation state of software; Receiving correction information of the identification result, and updating the identification rule based on the correction information; and applying the updated identification rule to other software operation behavior identification scenes.
  2. 2. The intelligent recognition method for the software operation behaviors based on deep learning according to claim 1, wherein the collection of software operation characteristic data comprises the following steps: The method comprises the steps of collecting operation characteristic data of software according to preset collection frequency and collection range, storing collected data in a local storage module, uploading the collected data to a cloud database of a server end by a communication module regularly, and guaranteeing data safety by adopting encryption technology in collection, transmission and storage processes.
  3. 3. The intelligent recognition method of software running behavior based on deep learning according to claim 1, wherein the process information comprises at least one of process execution file information, process starting parameters, process associated port information, runtime interface characteristics and system resource occupation information, and the plug-in interaction information is obtained by intercepting function calls and/or message transfer between a plug-in and a host program through hook technology and/or by monitoring inter-process communication data between the plug-in and the host program.
  4. 4. The intelligent recognition method of software operation behavior based on deep learning according to claim 1, wherein the data is encrypted by adopting an AES encryption algorithm during local storage, and the encryption process is expressed as: Wherein, the In order to obtain the encrypted ciphertext, As a function of the encryption, In order to encrypt the key(s), The method comprises the steps of obtaining plaintext data, carrying out encryption transmission through an HTTPS protocol during data transmission, and carrying out desensitization treatment on correction operation records and personal information of users.
  5. 5. The intelligent recognition method for the software operation behavior based on the deep learning is characterized in that an intelligent recognition algorithm is obtained by training software operation feature sample data through a classification algorithm based on machine learning, has self-learning capability, can optimize model parameters according to user correction records and new feature data, is used for recognizing process-related features of process-type software through analysis, is used for intercepting function calls and message transfer between a plug-in and a host program through hook technology according to plug-in-type software, monitors inter-process communication data, and judges the operation state of the plug-in based on interception information and communication data.
  6. 6. The intelligent recognition method for the software running behavior based on the deep learning is characterized in that for a browser plug-in, starting, loading and function calling state information of the plug-in is obtained by intercepting API calls between a browser and the plug-in, and for an Office plug-in, starting, closing and function executing state information of the plug-in is obtained by intercepting COM interface calls between an Office application and the plug-in.
  7. 7. The method for constructing the intelligent recognition method of the software operation behavior based on the deep learning is characterized by further comprising initializing a plug-in on the target equipment, wherein the initializing process comprises the steps of establishing communication connection with a server through a preset IP address and a preset port number, creating a local database by adopting an SQLite lightweight database, and starting data acquisition according to a preset acquisition frequency and an acquisition range.
  8. 8. The method for constructing the intelligent recognition method of the software running behavior based on the deep learning according to claim 1, further comprising displaying the recognition result of the software running behavior in a list or chart form through a client interface or a Web interface.
  9. 9. The method for constructing the intelligent recognition method of the software operation behavior based on the deep learning according to claim 8 is characterized in that correction operation is initiated on an interactive interface, correct software information and correct operation states are input, a server side rule management module converts the correction operation into new software operation rules and updates the new software operation rules to a rule base, and meanwhile, corrected recognition results are issued to a client side update interface for display.

Description

Intelligent recognition method for software operation behavior based on deep learning Technical Field The invention relates to the technical field of computer software, in particular to a software operation behavior intelligent identification method based on deep learning. Background In the current digital age, accurate identification and management of the running state of software are important to ensuring the safe and stable running of a system and improving the user experience. Whether it is a large complex system at enterprise level or various application programs used by individual users, real-time and accurate monitoring and identification of software running behavior is required in order to discover potential security threats, performance problems or abnormal operations in time. However, in the actual operation of the statistical software operation, the current technical means have a plurality of defects, which seriously affect the efficiency and accuracy of the identification of the software operation behavior, and particularly realize the following aspects: The lack of default associations between current software installation information and software running information makes it extremely difficult to manage and monitor the software. In computer systems, software installation information and operating information are typically in separate states. For example, the system can easily obtain the installation information such as the installation path and the installation time of the software, and meanwhile, can also obtain the running information such as the process ID and the occupied memory, but the system cannot automatically and accurately correspond the installation information and the running information of the same software. The splitting between the information results in the need of spending a great deal of time and effort to manually establish the association when the running state of the software is tracked, which not only increases the management cost, but also is easy to cause error association due to human negligence, thereby affecting the accurate judgment of the running state of the software. For example, in an enterprise server environment, where a large amount of software is running at the same time, if installation and running information cannot be automatically associated, an administrator faces a great challenge in troubleshooting the problem, and it is difficult to quickly locate the failed or abnormal software. In the process of judging whether the software is operated, a mode of manually binding the software with a corresponding operation process is generally adopted at present. This process is not only labor and time intensive, but also very inefficient. With the increasing number of software and increasing complexity of the system, the workload of manual binding grows exponentially. For example, when a plurality of software are simultaneously run in a computer, an administrator needs to carefully check the characteristics of each software one by one, including information of a software name, a version number, an installation path, and the like, and manually associate it with a corresponding process. If the number of software is large, the work becomes extremely complicated, so that not only is the fatigue of an administrator easily caused, but also the manual operation error is extremely easy to occur. Once the error binding occurs, the software running state judgment is inaccurate, and the normal running and the safety protection of the system are affected. For example, in a large data center, massive software is run on a plurality of servers, and a manual binding mode cannot meet real-time and efficient management requirements. When the running state of software is identified, most of related products in the market adopt a single identification mode, and usually only necessary information is extracted from a process execution file and displayed as a software name. The recognition mode is too one-sided, and the characteristics of the software cannot be comprehensively reflected, so that the recognition accuracy of the software is seriously insufficient. In practical application, the names of process execution files of many software are similar, and identification is carried out only by means of the information, so that the situation of confusion identification is very easy to occur. For example, some different functional software may employ similar naming rules to name its process execution files, or some malware may deliberately imitate the process filename of legitimate software to evade detection. Under the condition, the existing identification products cannot accurately distinguish different software, so that the method not only brings trouble to users, but also can provide a multiplicative machine for the spreading and attack of malicious software, and seriously threatens the safety and stability of the system. Disclosure of Invention The invention aims to provide a sof